oss-sec mailing list archives
Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks
From: cve-assign () mitre org
Date: Wed, 23 Apr 2014 12:27:51 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
It is possible to reconfigure the network on Linux by calling write(2) on an appropriately connected netlink socket. By passing such a socket as stdout or stderr to a setuid program, anyone can reconfigure the network.
http://marc.info/?l=linux-netdev&m=139820127225921&w=2
Andy Lutomirski when looking at the networking stack noticed that it is possible to trick privileged processes into calling write on a netlink socket and send netlink messages they did not intend. In particular from time to time there are suid applications that will write to stdout or stderr without checking exactly what kind of file descriptors those are and can be tricked into acting as a limited form of suid cat. In other conversations the magic string CVE-2014-0818 has been used to talk about this issue.
First, CVE-2014-0818 is not the correct CVE ID. CVE-2014-0818 is associated only with a vulnerability in AutoCAD. A CVE ID of CVE-2014-0181 was in the Subject line. Also, there are two messages that discuss apparently distinct types of security issues, suggesting that two or more CVE IDs may be needed: http://marc.info/?l=linux-netdev&m=139820138225967&w=2 "The caller needs capabilities on the namespace being queried, not on their own namespace. This is a security bug, although it likely has only a minor impact." (The patch is in the packet_diag_dump function in net/packet/diag.c, but the issue originally was in the sock_diag_put_filterinfo function in net/core/sock_diag.c.) http://marc.info/?l=linux-netdev&m=139820147526004&w=2 "verify that the opener of the socket had the desired permissions as well" - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTV+jvAAoJEKllVAevmvmsR6oH/0AlC8kHSHbG1bMA8LR1zuGi dql/ePdiy0xZCaXK/2qjKmwF+F6DwYukmLqZsnpxhKPZImjTnTsK/Ij7fxID6sH2 b8YfB3H9ZmTjsh6q1SKXcj+vXphORktcrL0KjpgfGRQGexEa95o+1j0Vlrpk+Jdt +g6RWUrVRFanBF+zE3DNSPI4Pza4BB+XoOrjEAVfp1AmizbObzaazY+UOQKZDi6m FzmjErQtqViG0YMV7h8b1ktHF8+RjVT2cvFCPYs4Gmae7WOXiPxN+dngkvtJGQg7 1nH2jQOd6FhIN4HWLiL1xSTlst3bATxntC6aOPyx+KnFxQIomCMocS/6UecRWbI= =XHpW -----END PGP SIGNATURE-----
Current thread:
- CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks Andy Lutomirski (Apr 22)
- Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks Andy Lutomirski (Apr 22)
- Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks cve-assign (Apr 23)
- Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks Andy Lutomirski (Apr 23)
- Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks Eric W. Biederman (Apr 23)
- Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks cve-assign (Apr 23)
- Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks Andy Lutomirski (Apr 28)
- Re: CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks Andy Lutomirski (Apr 22)